This project is read-only.


[CORS] The origin URL in CORS in the settings should follow the CORS spec


URL like and should treated as same origin [1]. It is not true in current implementation. We compare the CORS origin literally without normalizing the string given by user through EnableCors therefore cause CORS rejection which is difficult to find.

The schema of origin is restrictively defined hence we can normalize the user setting. Matching / Comparing origins are defined in RFC6454 [2]

Closed Sep 9, 2013 at 10:41 PM by trdai


yaohuang wrote Aug 20, 2013 at 10:11 PM

We added the validation so that users can provide only valid origins. E.g. would not be a valid origin even though it's a valid URL. Browser clients would not send the origin header with the trailing slash. The checkin that added the validation was: